Ken44 Posted February 3, 2010
I will let you know if it works
Hi. I am still having problems with the latest $_POST cleaning code above. With the code I get "PayPal IPN Invalid [Completed]". Without the code IPN works perfectly. The only other problem I can see is that $HTTP_POST_VARS: is changed to HTTP_POST_VARS: - the '$' is being stripped. Could you please help me allow the $ in the expression? Here is my current expression:
return preg_replace("/[^\p{L}\d\r@ :{}=_.-]/i", "", urldecode($vars));
Thanks, Ken
rc8 Posted February 8, 2010
on your favorite web browser...go to www.yourdomain.com/catalog/SecurityPro_installer.php change the address accordingly to your site, changing yourdomain.com by your actual address...
I did this but got a "fatal error 500". Is there just a simple MySQL script to do what this PHP does?
spooks Posted February 8, 2010 (Author)
I did this but got a "fatal error 500". Is there just a simple MySQL script to do what this PHP does?
You would get better answers posting in the correct support thread; SecurityPro has an active and supported thread.
Sam
Remember, what you think I meant may not be what I thought I meant when I said it.
Contributions: Auto Backup your Database, Easy way Multi Images with Fancy Pop-ups, Easy way Products in columns with multi buy etc etc, Disable any Category or Product, Easy way Secure & Improve your account pages et al.
rc8 Posted February 8, 2010
You would get better answers posting in the correct support thread; SecurityPro has an active and supported thread.
OK, can you tell me how to find that particular thread please?
germ Posted February 9, 2010
OK, can you tell me how to find that particular thread please?
[contribution] Security Pro - Querystring protection against hackers
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
Jitty25 Posted February 10, 2010
foreign chars
after:
function clean_var ($vars) {
add:
$foriegn = 'àáâãäåçéèêëìíîïñòóôõöùúûüýÿ';
then replace:
return preg_replace("/[^a-zA-Z0-9@ :{}_.-]/i", "", urldecode($vars));
with:
return preg_replace("/[^\w\d\r".$foriegn."@ :{}_.-]/i", "", urldecode($vars));
Please say if there are any additions you know to be added to the $foriegn string.
Hi Spooks, thank you very much for your time. I have this code in my contact_us.php and others:
// clean posted vars
if (PHP_VERSION >= 4.1) $HTTP_POST_VARS =& $_POST;
reset($_POST);
while (list($key, $value) = each($_POST)) {
  if (!is_array($_POST[$key])) {
    $_POST[$key] = preg_replace("/[^ a-zA-Z0-9ěščřžýáíéäëöüďťňůŠČŘŽ@:{}_.-]/i", "", urldecode($_POST[$key]));
  } else {
    unset($_POST[$key]);
  } // no arrays expected
}
//end clean posted vars
As far as I can tell, it works. If I would like to add your new code to the application_top, do I have to remove the older code from all other files? Do you recommend this solution? Thank you very much.
spooks Posted February 10, 2010 (Author)
Hi, no, it's not a solution I 'recommend'; it's one I suggest people can do if they want an easy way to add the sanitising. However it does cause issues with some add-ons/modules, so it is best done on a page-by-page basis. That's not the latest code, by the way. You could look at Sam's Anti-hacker Account Mods, which adds a sanitising function; then a page that accepts POST only needs the lines
require('includes/functions/account_secure.php');
clean_post ();
added at the start.
Sam
Jitty25 Posted February 10, 2010
Thank you, Sam :)
Ken44 Posted February 15, 2010
Hi Sam, I could not find a support thread for Sam's anti-hacker account mods V1.4. I gave up with 'Clean post vars' in application_top and decided to install this contribution instead. So I am installing in stages and so far have only installed 'contact us'. Contact us is working fine; however I have three on my site:
Contact Us
Price match
Ask a Question
I have duplicated your 'contact us' code and replaced all instances of FILENAME_CONTACT_US with FILENAME_ASK_A_QUESTION; however I still cannot get this to work. After filling in the form and clicking 'continue' it is redirecting to my 404 page. What am I missing? I hope you can help.
Regards, Ken
spooks Posted February 15, 2010 (Author)
I could not find a support thread for Sam's anti-hacker account mods V1.4.
Links to the support thread are given in the doc, in the zip file and in the download!! I don't know where else I can put them to make it easier to find!! Where did you look?
Sam
MattReid Posted February 15, 2010
FORMS: Security Pro cleans the query string; however any forms using $_POST are unaffected. If you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.
after:
require('includes/application_top.php');
add:
// clean posted vars
reset($_POST);
while (list($key, $value) = each($_POST)) {
  if (!is_array($_POST[$key])) {
    $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
  } else {
    unset($_POST[$key]);
  } // no arrays expected
}
This does not allow for arrays; additional code is needed if they are used.
Does this apply to any of the forms on the standard installation of osC2.2rc2a? If so, which?
spooks Posted February 15, 2010 (Author)
Does this apply to any of the forms on the standard installation of osC2.2rc2a? If so, which?
Yes, most of the forms use post; I couldn't say off hand which don't. You could look at Sam's Anti-hacker Account Mods, which includes the latest sanitising code, ensures all your account & contact pages are safe & adds many extra features (PWA, super contact us, ajax State/Province/County pull down, date pull down, post code validation etc etc). That creates a sanitising function that could be used on any page you needed.
Sam
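Added example (not code from this thread, from osCommerce, Security Pro or Sam's Anti-hacker Account Mods): an array-aware version of the "clean posted vars" loop quoted in the February 10 and February 15 posts, which, as noted there, drops arrays instead of cleaning them. It also shows why the '$' vanished in the February 3 post: '$' is simply not in the character class, and preg_quote() is the safe way to add it (or any other character) without breaking the pattern. Function, constant and parameter names are this example's own, and it assumes PHP 7 or later. Two caveats a practitioner should know before using any such loop: PHP has already URL-decoded an application/x-www-form-urlencoded body into $_POST, so the extra urldecode() in the quoted loop double-decodes and is deliberately omitted here; and a PayPal IPN listener must post the received message back to PayPal byte-for-byte (with cmd=_notify-validate prepended) to get VERIFIED, so stripping any character from that script's $_POST changes the postback and yields INVALID, which is consistent with the February 3 report. Keep the IPN endpoint out of the sanitiser and validate it the way PayPal documents.

```php
<?php
// Added example: array-aware $_POST sanitiser. Not from the thread or from any
// osCommerce add-on; all names are this example's own. Requires PHP 7+.

// Characters kept by default: any Unicode letter or digit, CR/LF, and the
// punctuation the thread's loop allowed. The '-' is appended last inside
// clean_value() so it stays a literal rather than forming a range.
const CLEAN_POST_BASE_ALLOW = '\p{L}\p{N}\r\n@ :{}_.';

/**
 * Strip every character not in the allow-list from one scalar value.
 * $extraAllowed lets a page permit more characters, e.g. '$=%' for a form
 * that legitimately carries them; preg_quote() escapes them so a ']' or
 * '-' in the extras cannot corrupt the character class.
 */
function clean_value($value, string $extraAllowed = ''): string
{
    $class = CLEAN_POST_BASE_ALLOW . preg_quote($extraAllowed, '/') . '-';
    // /u makes \p{L} match multi-byte UTF-8 letters such as "ř" or "ä";
    // without it each byte of such a letter is tested separately and stripped.
    $cleaned = preg_replace('/[^' . $class . ']/u', '', (string) $value);
    // preg_replace() returns null on malformed UTF-8: drop the value rather
    // than pass the raw bytes through untouched.
    return $cleaned ?? '';
}

/**
 * Clean a $_POST-shaped array. Nested arrays (multi-select fields, name[]
 * inputs) are cleaned recursively up to $maxDepth instead of being unset
 * as in the thread's loop; keys are cleaned as well, since the client
 * controls them just as much as the values. Returns a new array.
 */
function clean_post_array(array $post, string $extraAllowed = '', int $maxDepth = 4): array
{
    $out = [];
    foreach ($post as $key => $value) {
        $cleanKey = clean_value($key, $extraAllowed);
        if ($cleanKey === '') {
            continue; // key consisted only of disallowed characters
        }
        if (is_array($value)) {
            if ($maxDepth <= 0) {
                continue; // refuse pathological nesting instead of recursing forever
            }
            $out[$cleanKey] = clean_post_array($value, $extraAllowed, $maxDepth - 1);
        } else {
            $out[$cleanKey] = clean_value($value, $extraAllowed);
        }
    }
    return $out;
}

// Usage at the top of a page that accepts POST (after application_top.php):
//   $_POST = clean_post_array($_POST);
// or, for a page that needs '$' and '=' to survive:
//   $_POST = clean_post_array($_POST, '$=');

// Constructed demonstration input (run with: php clean_post.php).
if (PHP_SAPI === 'cli') {
    $sample = [
        'name'    => 'Jiří <script>alert(1)</script>',
        'price'   => '$19.99',
        'colours' => ['red', "blue'; DROP TABLE products; --"],
    ];
    var_export(clean_post_array($sample));       // default: '$' is stripped from price
    echo PHP_EOL;
    var_export(clean_post_array($sample, '$'));  // with '$' allowed it is kept
    echo PHP_EOL;
}
```

A character allow-list like this is defence in depth only: it does not replace tep_db_input()/prepared statements for SQL and htmlspecialchars() on output, and it will silently mangle legitimate input (names with apostrophes, addresses with '/' or '#'), so apply it per page with the characters that page really needs rather than globally in application_top.php, which is the add-on breakage the February 10 post warns about.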
acropolis Posted February 16, 2010
Security and PCI Compliance
We have recently been through the PCI Compliance process for our site http://www.abbeybook.com - it was difficult, but we finally got it done. Our experience may help others running osCommerce 2.2rc2a with SSL who want to accept credit cards securely on the site itself, in addition to PayPal and other proxy methods. Note that our site is hosted by pair.com running *nix and not on our own UK-based Windows 2000 server, which had to be scanned separately.
First I want to thank the main contributors whose work was essential for our cleaning up of the website:
spooks - for his original post in this thread, which provided links to security measures mentioned below, and sound guidance on folder permissions and removing Filemanager from admin
FWR Media - for Security Pro, preventing injection attacks (with very few problems), http://addons.oscommerce.com/info/5752
pixclinic - for Anti XSS addition to htaccess, to stop Cross Site Scripting attacks, http://addons.oscommerce.com/info/6044
Jan Zonjee - for renaming/protecting admin folder + other hints, http://www.oscommerce.com/forums/index.php?showtopic=340995
The first scan of our website by SecurityMetrics came up with a list of vulnerabilities as long as your arm, including 12 Risks in red ranging from level 4 to level 8. In the first iteration, with help from SecurityMetrics shift-working staff, we took all the measures recommended in the contributions mentioned above. We then checked that the site was still operating correctly - which it was. The next scan showed we had got rid of the most serious Risks in the red list, but not 2 at level 5 which had versions of this:
Synopsis: The remote web server contains a PHP script that is prone to an information disclosure attack.
Description: Many PHP installation tutorials instruct the user to create a PHP file that calls the PHP function 'phpinfo()' for debugging purposes. Various PHP applications may also include such a file. By accessing such a file, a remote attacker can discover a large amount of information about the remote web server, including:
- The username of the user who installed php and if they are a SUDO user.
- The IP address of the host.
- The version of the operating system.
- The web server version.
- The root directory of the web server.
- Configuration information about the remote PHP installation.
Solution: Remove the affected file(s).
Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
It took 3 further iterations to remove these exceptions and get the site PCI Certificate. First we took out all instances of phpinfo.php which we could find. Then we removed server.info - which includes phpinfo() - and code references to it in other admin files. Then at last we found a file called info.php - also with phpinfo() - which I had used a long time ago to get the PHP version. At a quarter to midnight, we passed the test - Bingo!
In all of this I would echo Deborah's 2008 comment:
It always helps having to be pci compliant too....having that scan every few days going through your system catching anything that may be vulnerable. Never hurts to alert you to vulnerabilities. I love the Security Pro. I tried the IP trap but it worked so well my pci compliance scanner got blocked *laughing*. Now I just keep looking at my error log, and put questionable entities in my disallow lines of my .htaccess file. That may not be the best way to do it, but it's what I've got for now.
Hope this helps others tackle what can be a rather daunting task. Comments welcome from more experienced contributors, particularly if I have got any of this wrong.
John
tigergirl Posted February 16, 2010
Security and PCI Compliance ... It took 3 further iterations to remove these exceptions and get the site PCI Certificate. First we took out all instances of phpinfo.php which we could find. Then we removed server.info - which includes phpinfo() - and code references to it in other admin files. Then at last we found a file called info.php - also with phpinfo() - which I had used a long time ago to get the PHP version. At a quarter to midnight, we passed the test - Bingo!
Thanks for the informative post. I'd be interested to know the exact steps taken here, as my host seems to think it's fine to keep leaving a php.info file for all to view on the server when they are problem solving (creating). I removed server.info a long time ago and the link to it in admin - is there something else I need to do? Which code references in admin do I need to remove? Cheers
I'm feeling lucky today......maybe someone will answer my post! I do try and answer a simple post when I can just to give something back.
PM me? - I'm not for hire
natureguy Posted February 17, 2010
I've got a question about the htaccess protection scripts found at the start of this thread. Where, or in what htaccess files, should those be? There are a lot of folders within osCommerce that have htaccess files and I need to know which ones I should be modifying, or if some of the mods are even applicable within some folders. Thanks. I would like to get these done before my site goes live.
spooks Posted February 17, 2010 (Author)
Where, or in what htaccess files, should those be?
.htaccess, especially for security, should generally be placed in the root; if it needs to be placed elsewhere the add-on will say so. If you need more, try Google: http://www.google.co.uk/search?ie=UTF-8&q=htaccess%20made%20easy
Sam
sarafina Posted February 19, 2010
I just renamed the admin but now I can't access it. So from domain.com/store/admin to domain.com/store/bingo. But when I access the latter site to login, it doesn't work. Any help is appreciated.
Contributions installed: Purchase without Account / STS / All Products / Header Tags Controller
mdtaylorlrim Posted February 19, 2010
I just renamed the admin but now I can't access it. So from domain.com/store/admin to domain.com/store/bingo. But when I access the latter site to login, it doesn't work. Any help is appreciated.
Did you change the configure.php file also, or just rename the folder?
Community Bootstrap Edition, Edge. Avoid the most asked question. See How to Secure My Site and How do I...?
sarafina Posted February 19, 2010
Did you change the configure.php file also, or just rename the folder?
Oh, I just renamed the folder. Can you tell me in what directory the configure.php file is and what I should change there? (I have a configuration.php file, not sure if it's the same.)
EDIT: I found the file and have updated everything. All is in order, thanks.
acropolis Posted February 20, 2010
My post should have said server_info.php in admin, not server.info - sorry if this gave you a wrong trail. But for security/PCI compliance purposes I think it is only necessary to remove from the accessible code any instance of phpinfo(). We did not find any admin instances other than in server_info.php (file_manager.php needs to be removed for other reasons). We got rid of references to that and to server_info elsewhere in admin simply for tidiness. You are right to point out that problems can be caused by host technical staff leaving phpinfo files around when they try to be helpful.
John
Jenica77 Posted February 21, 2010
Then we removed server.info - which includes phpinfo() - and code references to it in other admin files. Then at last we found a file called info.php - also with phpinfo() - which I had used a long time ago to get the PHP version.
I have two server_info.php files. One is in admin and the other is in admin/includes/languages/english. Should both of these files be deleted? I don't see anything named info.php.
tigergirl Posted February 21, 2010
I have two server_info.php files. One is in admin and the other is in admin/includes/languages/english. Should both of these files be deleted?
1) Remove this code in admin/includes/boxes/tools.php:
'<a href="' . tep_href_link(FILENAME_SERVER_INFO) . '" class="menuBoxContentLink">' . BOX_TOOLS_SERVER_INFO . '</a><br>' .
2) Remove the files:
admin/includes/languages/english/server_info.php
admin/server_info.php
3) Maybe people want to do the same with define_language.php, as I don't think that's in this thread already? It's a bit like "file_mangler".
I don't see anything named info.php.
4) The file is called phpinfo.php and could be placed above the root or in the root; just delete it and check regularly that the host hasn't put another somewhere. I imagine if the server is hacked and this is above the root it's still a potential security hole on a shared server.
5) @acropolis - is that all you did? I don't get what you mean by "all accessible instances of phpinfo()".
6) Don't put the name of your admin folder in robots.txt.
Jenica77 Posted February 21, 2010
1) Remove this code in admin/includes/boxes/tools.php ... 2) Remove the files ... 3) Maybe people want to do the same with define_language.php ... 4) The file is called phpinfo.php and could be placed above the root or in the root; just delete it and check regularly that the host hasn't put another somewhere.
Thank you, I deleted those two files and the reference. I had already done the define_language. I don't see a file called phpinfo.php. I do have one called phplot.php; that's as close as I've seen. Is this a file that is always there (phpinfo) or is it something that some web hosts add?
tigergirl Posted February 21, 2010
Is this a file that is always there (phpinfo) or is it something that some web hosts add?
phpinfo.php is not part of osC. Hosts often add it so they can gather info about your installation to help them solve problems. Sometimes they don't bother to remove it and it can be browsed to by anyone, giving away details about your setup that could be used maliciously. It's another good reason to have Site Monitor, but that only checks files/folders below where it is installed, so if phpinfo.php is above the root on the server I think it may still be a hole if the server is hacked - maybe some experts can comment on that? I find it quite troublesome that some hosts don't take security seriously. I would change them if I knew I'd be better off elsewhere.
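Added example, not from this thread, from osCommerce, Site Monitor or any host's tooling: a small PHP command-line script that walks a directory tree and lists every PHP file that calls phpinfo(), so a leftover phpinfo.php, info.php or server_info.php (the three names that cost the February 16 poster three extra scan iterations) is found before the next PCI scan finds it. Run it against the web root and, as the February 21 posts suggest, against the directory above it as well, since hosts drop such files in odd places; a non-zero exit status lets a cron job alert on new findings. The function name, the file-extension list and the exit-code convention are this example's own.

```php
<?php
// Added example: audit script that reports PHP files calling phpinfo().
// Not from the thread or osCommerce; names and conventions are this
// example's own. Usage: php find_phpinfo.php /path/to/webroot

/**
 * Recursively scan $dir and return the sorted paths of PHP source files
 * whose contents call phpinfo(). Symlinks are not followed so a scan of
 * the web root cannot wander off into the rest of the filesystem, and an
 * unreadable directory is reported and skipped rather than aborting the run.
 */
function find_phpinfo_files(string $dir, array &$hits = []): array
{
    $entries = @scandir($dir);
    if ($entries === false) {
        error_log("find_phpinfo_files: skipping unreadable directory $dir");
        return $hits;
    }
    foreach ($entries as $name) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $name;
        if (is_link($path)) {
            continue;
        }
        if (is_dir($path)) {
            find_phpinfo_files($path, $hits);
            continue;
        }
        // Extensions the typical Apache/PHP setup executes; .inc is included
        // because some hosts map it to PHP as well.
        if (!preg_match('/\.(php|phtml|php[3-7]|inc)$/i', $name)) {
            continue;
        }
        $src = @file_get_contents($path);
        // A plain case-insensitive search for the call. It will also flag a
        // commented-out phpinfo(), which is the right bias for an audit:
        // better to look at one file too many than to miss one.
        if ($src !== false && preg_match('/\bphpinfo\s*\(/i', $src)) {
            $hits[] = $path;
        }
    }
    sort($hits);
    return $hits;
}

if (PHP_SAPI === 'cli') {
    $root  = $argv[1] ?? getcwd();
    $found = find_phpinfo_files($root);
    if ($found === []) {
        echo "no phpinfo() calls found under $root", PHP_EOL;
        exit(0);
    }
    foreach ($found as $path) {
        echo $path, PHP_EOL;
    }
    exit(1); // non-zero so a cron job or deployment check can alert on it
}
```

Deleting files is the fix the scanner asks for, but it does not stop a host re-creating one next month. Where you control php.ini (or a per-site php.ini the host honours), adding phpinfo to disable_functions makes any such file return only a warning instead of the server's configuration, which closes the hole regardless of where the file lands.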
sarafina Posted February 22, 2010
Is it possible to have Spooks chime in on whether the server_info.php and phpinfo files should indeed be removed? If so, I think the original post should be amended to include this.
This topic is now archived and is closed to further replies.